Security Policy
Last updated: March 13, 2026
At Doc Custodian ("Company," "we," "us," or "our"), the security of your data and the integrity of our platform are priorities that we take seriously. This Security Policy ("Policy") provides an overview of the technical, administrative, and organizational security measures we implement in connection with the operation of the Doc Custodian platform and all related services (collectively, the "Service"). This Policy is provided for informational and transparency purposes only, and is intended to give you an understanding of our approach to security. This Policy does not constitute, create, or imply any warranty, guarantee, service level agreement, performance commitment, contractual obligation, or binding representation of any kind. All security measures described herein are provided on a commercially reasonable, best-effort basis, and the Company makes no warranty, guarantee, or representation that such measures will prevent all unauthorized access, data breaches, security incidents, data loss, or other adverse events.
This Policy should be read in conjunction with our Terms of Service, Privacy Policy, and Data Protection Policy, each of which is incorporated herein by reference. In the event of any conflict between this Policy and our Terms of Service, the Terms of Service shall prevail. The security measures described in this Policy may be modified, updated, enhanced, or changed at any time in our sole discretion, with or without notice, as we continue to evaluate and improve our security posture.
1. Infrastructure Security
1.1 Cloud Platform and Hosting
The Service is hosted on enterprise-grade cloud infrastructure provided by reputable and established cloud hosting providers that maintain comprehensive physical security measures, network security controls, environmental protections, disaster recovery capabilities, and operational security practices. We select infrastructure providers based on their demonstrated security track record, the breadth and depth of their security controls, their compliance posture, and their ability to meet the security requirements of our Service. The specific hosting providers, data center locations, and infrastructure configurations we use are subject to change as we evaluate and improve our infrastructure, and we do not disclose the identity of our infrastructure providers in this Policy. We do not independently audit or certify the security practices of our cloud infrastructure providers, and we rely on their published compliance certifications, security documentation, and contractual commitments.
1.2 Network Security
We implement a range of network security measures designed to protect the Service and the data transmitted to, from, and within our infrastructure, including but not limited to:
- Encryption of all external-facing network traffic using Transport Layer Security (TLS) protocols, with enforcement of current, secure protocol versions and cipher suites, and rejection of connections using outdated or known-insecure protocols
- Web application firewall (WAF) protections designed to detect and mitigate common web-based attack vectors, including but not limited to SQL injection, cross-site scripting (XSS), cross-site request forgery (CSRF), and other application-layer threats
- Distributed denial-of-service (DDoS) mitigation capabilities provided at the infrastructure level by our cloud hosting providers, designed to absorb and mitigate volumetric, protocol, and application-layer DDoS attacks
- Network segmentation and access controls designed to isolate different components of the Service and limit the potential impact of a security compromise in any single component
- Restriction of inbound network access to only the ports, protocols, and IP ranges necessary for the operation of the Service, with all unnecessary ports and services blocked or disabled by default
2. Application Security
2.1 Authentication and Credential Management
The Service implements multiple layers of authentication and credential management controls to verify user identity and protect account access:
- Support for authentication through established third-party identity providers using industry-standard OAuth 2.0 and OpenID Connect protocols, leveraging the security infrastructure and controls of trusted identity providers to authenticate users
- Direct credential-based authentication, where applicable, with passwords securely managed through a dedicated third-party credential management service that provides secure password hashing, storage, and verification. Passwords are never stored in plaintext by the Company, and password verification is performed by the third-party service without exposing password hashes to our application layer
- Secure session management using cryptographically signed tokens stored in HTTP-only, secure cookies with appropriate SameSite attributes, with automatic session expiration after periods of inactivity and transparent session refreshing during active use to maintain security while minimizing user disruption
- Protection against common authentication attacks, including but not limited to brute-force login attempts, credential stuffing, and account enumeration, through rate limiting, account lockout policies, and other defensive measures
2.2 Authorization and Access Control
The Service enforces a comprehensive authorization model to ensure that users can only access data and perform actions for which they are authorized:
- Workspace-based multi-tenant data isolation, ensuring that each workspace's data is logically separated from all other workspaces through application-level access controls and database-level filtering that are enforced on every data access operation
- Role-based access control (RBAC) within each workspace, with distinct permission levels for different roles (such as administrator and member), ensuring that users can only perform actions appropriate to their assigned role
- Server-side authorization verification on every API request, with the system independently verifying the requesting user's identity, active workspace membership, and role-based permissions before granting access to any resource, data, or administrative function. Client-side access restrictions are always re-verified on the server side to prevent circumvention
- Workspace membership verification and enforcement as a prerequisite for all data access, ensuring that users who are not active members of a workspace cannot access, view, modify, or otherwise interact with that workspace's data under any circumstances
2.3 Input Validation and Sanitization
The Service implements comprehensive input validation and sanitization measures to protect against injection attacks and other input-based vulnerabilities:
- All user-supplied inputs, including form data, URL parameters, query parameters, request headers, uploaded file names, and API request bodies, are validated and sanitized on the server side before being processed, stored, or rendered, regardless of whether client-side validation is also applied
- Centralized input validation framework with defined validation rules, field length limits, format constraints, and character restrictions for all user-facing input fields, ensuring consistent and thorough validation across the entire application
- Protection against common web application vulnerabilities as identified by the OWASP (Open Web Application Security Project) Top 10 and similar vulnerability taxonomies, including but not limited to SQL injection, cross-site scripting (XSS), cross-site request forgery (CSRF), server-side request forgery (SSRF), and path traversal attacks
- File type validation, file size limits, and content inspection on all file uploads to prevent the upload and processing of malicious, corrupted, or oversized files
2.4 API Security
The Service implements security measures at the API level to protect against unauthorized access and abuse:
- All API endpoints require valid authentication credentials, and unauthenticated requests are rejected without processing
- Rate limiting and request throttling on applicable API endpoints to prevent abuse, brute-force attacks, and resource exhaustion
- Request size limits and payload validation to prevent buffer overflow attacks, denial-of-service through oversized payloads, and other payload-based attacks
- Comprehensive server-side error handling and logging, with detailed error information logged on the server for debugging and investigation purposes, and generic, non-descriptive error messages returned to clients to prevent information leakage that could assist attackers in identifying vulnerabilities or understanding system internals
3. Data Encryption
The Service implements encryption to protect data confidentiality both at rest and in transit:
- Encryption at Rest: All stored data, including User Content (documents, files, and processed data), database records, account information, and backup copies, is encrypted at rest using industry-standard encryption algorithms provided by our cloud infrastructure provider. Encryption at rest protects data stored on disk from unauthorized access in the event of physical media theft, unauthorized data center access, or other physical security compromises.
- Encryption in Transit: All data transmitted over networks, including traffic between user browsers and our servers, API communications, internal service-to-service communications, database connections, and data transfers to and from third-party providers, is encrypted using TLS protocols. We enforce the use of current, secure TLS versions and cipher suites to protect data during transmission against interception, eavesdropping, and man-in-the-middle attacks.
- Key Management: Encryption keys used to protect data at rest and in transit are managed through our cloud infrastructure provider's key management service, which provides secure key generation, secure key storage using hardware security modules (HSMs) or equivalent protections, automated key rotation, and granular access controls to ensure that encryption keys are only accessible to authorized services and personnel.
4. Document Security
Given that document management is the core function of the Service, we implement specific measures to protect the security and integrity of your documents:
- Storage-Level Access Controls: Documents are stored with workspace-level access controls that ensure only authorized users within the appropriate workspace can access, view, download, modify, or delete documents. Access controls are enforced at both the application level and the storage level.
- Time-Limited, Scoped Access URLs: When documents are served to users through the Service, access URLs are generated with time-limited validity and are scoped to the authenticated user and their authorized workspace. These URLs expire after a short period, reducing the risk of unauthorized access through URL sharing or interception.
- Processing Isolation: Documents sent to third-party services for extraction, conversion, AI analysis, or other processing are handled in isolated processing sessions. Documents are transmitted securely, processed on-demand, and are not intended to be retained by third-party processing services beyond the duration of the active processing session, subject to our contractual agreements with such providers.
5. Monitoring, Logging, and Audit Trails
We implement logging and monitoring capabilities to support security oversight, incident detection, and forensic investigation:
- Logging of API requests, including authentication events, authorization decisions, data access operations, and administrative actions, to maintain an audit trail of activity within the Service
- Activity audit trails within workspaces that record document-level operations, including uploads, downloads, modifications, deletions, sharing changes, and other document interactions, to provide workspace administrators and users with visibility into document activity
- Retention of security and operational logs for a reasonable period to support security monitoring, incident investigation, forensic analysis, and compliance with applicable legal requirements
- Error logging and exception tracking to identify, diagnose, and address application errors, performance degradation, and potential security issues
6. Incident Response
In the event that the Company becomes aware of a confirmed or suspected security incident that may affect the confidentiality, integrity, or availability of the Service or your data, we will take commercially reasonable steps to respond to the incident, which may include some or all of the following actions, as appropriate under the circumstances:
- Detection and Initial Assessment: Identify the nature, scope, and potential impact of the incident through monitoring systems, user reports, third-party notifications, or other means, and conduct an initial assessment to determine the severity and urgency of the response required.
- Containment and Mitigation: Take reasonable steps to contain the incident, limit its scope, and mitigate ongoing harm, which may include isolating affected systems, revoking compromised credentials, blocking malicious traffic, and implementing temporary protective measures.
- Investigation and Root Cause Analysis: Conduct a thorough investigation to determine the cause, scope, timeline, and full impact of the incident, including identifying any data that may have been accessed, disclosed, altered, or destroyed, and determining the root cause to prevent recurrence.
- Notification: Notify affected users and applicable regulatory authorities of the incident as required by applicable data breach notification laws and regulations. The timing, method, and content of notifications will be determined based on the requirements of applicable law, the nature and scope of the incident, and the guidance of any legal counsel or law enforcement agencies involved.
- Remediation and Recovery: Implement corrective measures to address the root cause of the incident, restore affected systems and data to normal operation to the extent feasible, and strengthen security controls to prevent similar incidents in the future.
Notwithstanding the foregoing, the Company makes no specific commitments, guarantees, or warranties regarding incident response timelines, methods, processes, outcomes, or the completeness of any investigation or remediation. Incident response is provided on a commercially reasonable, best-effort basis, and the Company's ability to respond to and resolve security incidents may be affected by factors beyond its reasonable control, including the nature and sophistication of the attack, the cooperation of third-party service providers and law enforcement agencies, and the availability of relevant forensic data.
7. Vulnerability Management
We implement practices designed to identify, assess, and address security vulnerabilities in the Service:
- We make commercially reasonable efforts to keep application dependencies, libraries, frameworks, and system components updated with current security patches and version updates, while balancing the need for stability and compatibility
- We follow secure development practices, including code review processes, security-aware development guidelines, and the use of static analysis and security testing tools where appropriate
- We welcome and encourage responsible security research from the security community and maintain a responsible disclosure program as described in Section 9 below
We do not guarantee that all vulnerabilities will be identified or remediated within any specific timeframe. Vulnerability management is an ongoing process, and new vulnerabilities may be discovered at any time. The Company is not liable for any security incidents arising from vulnerabilities that have not yet been identified, disclosed, or remediated.
8. Business Continuity and Disaster Recovery
We implement measures designed to protect against data loss and to support the continued availability of the Service:
- Data Backups: We maintain regular backups of critical data, including User Content and Account Data, to protect against data loss resulting from hardware failure, software errors, natural disasters, or other adverse events. Backups are encrypted and stored securely.
- Service Recovery: In the event of a significant Service disruption or outage, we will make commercially reasonable efforts to restore the Service to normal operation as promptly as practicable. However, we do not guarantee, warrant, or commit to any specific recovery time objective (RTO), recovery point objective (RPO), uptime percentage, availability target, or data recovery guarantee. Service recovery is provided on a best-effort basis and may be affected by the nature and extent of the disruption, the availability of our infrastructure providers, and other factors beyond our reasonable control.
- No Uptime Guarantee: For the avoidance of doubt, the Company does not provide any service level agreement (SLA), uptime guarantee, availability commitment, or performance guarantee of any kind. The Service is provided on an "as available" basis, and the Company shall not be liable for any downtime, interruptions, data loss, or performance degradation, regardless of the cause.
9. Responsible Disclosure Program
We value the contributions of security researchers and the broader security community in helping us identify and address potential security vulnerabilities in the Service. If you discover or believe you have discovered a security vulnerability in the Service, we encourage you to report it to us responsibly and privately using the contact information provided in Section 12 below.
When reporting a potential vulnerability, please provide sufficient technical detail and, where possible, proof-of-concept information to allow us to understand, reproduce, and assess the reported issue. To facilitate a productive and responsible disclosure process, we ask that you: (a) make a good-faith effort to avoid privacy violations, destruction of data, service disruption, and degradation of user experience during your research; (b) do not access, modify, delete, or exfiltrate data belonging to other users; (c) give us reasonable time to investigate and address the reported vulnerability before publicly disclosing any details; and (d) comply with all applicable laws in connection with your security research activities.
We will make reasonable efforts to acknowledge receipt of vulnerability reports and to provide a general timeline for assessment and resolution. We will not pursue legal action against security researchers who report vulnerabilities in good faith and in compliance with the guidelines outlined above. However, we make no commitments regarding specific response timelines, the implementation of any particular fix, or the eligibility for any recognition or compensation for reported vulnerabilities.
10. Disclaimer of Security Warranties
WHILE THE COMPANY TAKES REASONABLE STEPS TO IMPLEMENT APPROPRIATE SECURITY MEASURES FOR THE SERVICE, YOU EXPRESSLY ACKNOWLEDGE AND AGREE THAT NO SYSTEM, NETWORK, APPLICATION, DATABASE, OR DATA STORAGE MECHANISM IS COMPLETELY SECURE, AND THE COMPANY CANNOT AND DOES NOT WARRANT, GUARANTEE, OR REPRESENT THAT ITS SECURITY MEASURES WILL PREVENT ALL UNAUTHORIZED ACCESS, DATA BREACHES, CYBERATTACKS, DATA LOSS, DATA CORRUPTION, SECURITY INCIDENTS, OR OTHER ADVERSE EVENTS. THE SECURITY MEASURES DESCRIBED IN THIS POLICY ARE PROVIDED ON A COMMERCIALLY REASONABLE, BEST-EFFORT BASIS AND DO NOT CONSTITUTE, CREATE, OR IMPLY ANY WARRANTY, GUARANTEE, SERVICE LEVEL AGREEMENT, PERFORMANCE COMMITMENT, OR CONTRACTUAL OBLIGATION OF ANY KIND. YOUR USE OF THE SERVICE AND YOUR DECISION TO STORE, PROCESS, OR TRANSMIT DATA THROUGH THE SERVICE IS ENTIRELY AT YOUR OWN RISK. FOR IMPORTANT LIMITATIONS ON THE COMPANY'S LIABILITY, PLEASE REFER TO THE LIMITATION OF LIABILITY AND DISCLAIMER OF WARRANTIES SECTIONS IN OUR TERMS OF SERVICE, WHICH ARE INCORPORATED HEREIN BY REFERENCE.
11. Changes to This Security Policy
We reserve the right to modify, amend, update, or replace this Security Policy at any time and from time to time, in our sole discretion, as we continue to evaluate and improve our security practices. When we make changes, we will update the "Last updated" date at the top of this page. We encourage you to review this Policy periodically. Your continued use of the Service following any changes to this Policy constitutes your acceptance of such changes.
12. Contact Us
If you have any questions, concerns, or comments about this Security Policy, our security practices, or if you need to report a security vulnerability, concern, or potential incident, please contact us using the following information:
- Email: customerservice@doccustodian.com
- Website: doccustodian.com